Why every director must watch Zero Days

19 Mar, 2018

Zero Days is a documentary about Stuxnet, which is a worm designed specifically to target industrial control systems. It’s what we might call a cyberweapon – a piece of software specifically designed to attack physical infrastructure and cause catastrophic damage.

Get an unfair advantage

The best from The Resolution, delivered to your inbox every month.

The Internet of Things is utterly pervasive. It’s embedded into many of our daily micro transactions: opening a garage door, tapping on to public transport. But it goes so far beyond that. It’s the sensors of an autonomous vehicle. It’s the control system that runs a gas plant. It’s the mechanism that drives the gates of a large dam.

In other words, it has the potential to create serious danger.

Zero Days is a documentary about Stuxnet, which is a worm designed specifically to target industrial control systems. It was first identified in 2010, but it seems to have infiltrated these systems several years earlier. It’s what we might call a cyberweapon – a piece of software specifically designed to attack physical infrastructure and cause catastrophic damage.

The titular “zero day” is a previously undiscovered vulnerability in a system, one that is exploited without prior warning. What’s interesting about Stuxnet is that it was never intended to attack widely. Reports from 2011 said it was “a marksman’s job” – designed only to harm industrial systems with very specific configurations (centrifuges operating in Iran’s nuclear weapons program).

Why am I telling you about this? What the movie Zero Days does is describe a worm that penetrated a protected industrial system with no connection to the internet. It was created with a clear destructive purpose, and it successfully jumped into an air-gapped system of centrifuges. Given the amount of money most of our companies have spent on perimeter security, that’s a scary prospect.

As directors, we spend a great deal of time and money mitigating risks. For the most part, we are protecting organisations from known risks, or from conceivable dangers. Zero Days teaches us that we have a much broader set of technical risks to consider. While Stuxnet was used to disrupt the Iranian nuclear systems, it’s not hard to imagine how else the Internet of Things could be exploited in the future.

To understand the real world impact of the Internet of Things, I recommend directors watch Zero Days and Snowden together. The latter shows – with alarming clarity – the true application of this kind of vulnerability. And it’s a great movie! Hard-working directors need a little time to unwind with a Hollywood action flick.

The Internet of Things is easily abstracted. It can become a bit of a sexy buzzword, the kind of term thrown around in a board room without real meaning. That in itself should be considered a danger. Directors who talk about the Internet of Things without questioning it risk plural ignorance – a collective misunderstanding, where no one wants to put their hand up and say, “I don’t get it.”

Directors need to take control of the conversation. Instead of panicking about the very idea of the Internet of Things, they need to unpack it. It’s crucial to consider the specific elements that relate to this organisation, and to these systems. Any piece of kit that’s got a programmable logic controller has the potential to be violated. This isn’t about understanding that the Internet of Things exists, but about how it’s creating vulnerabilities within your discrete organisation.

Zero Days may help to concrete those ideas, and to bring light to new and critical considerations. It’s quick, practical, and might just save your systems.